Changeset 287315 in webkit

Timestamp:

Dec 21, 2021 8:09:07 AM (7 months ago)

Author:

J Pascoe

Message:

[WebAuthn] Authenticator is not falling back to clientPIN after internal verification fails and is blocked.
​https://bugs.webkit.org/show_bug.cgi?id=232501
<rdar://problem/84913636>

Reviewed by Darin Adler.

Whenever internal uv gets blocked, the user agent should fall back to using a pin for user verification. This
Source/WebKit:

patch starts doing that by going into the pin flow whenever the authenticator returns the pin required error
code.

Added API test for fallback.

• UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:

(WebKit::CtapAuthenticator::makeCredential):
(WebKit::CtapAuthenticator::getAssertion):
(WebKit::CtapAuthenticator::tryRestartPin):

Tools:

adds an API test to verify this behavior.

• TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
• TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:

(TestWebKitAPI::TEST):

Location:

trunk

Files:

• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp (modified) (4 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (modified) (4 diffs)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/web-authentication-get-assertion-hid-internal-uv-pin-fallback.html (added)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2021-12-21  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Authenticator is not falling back to clientPIN after internal verification fails and is blocked.
+        https://bugs.webkit.org/show_bug.cgi?id=232501
+        <rdar://problem/84913636>
+
+        Reviewed by Darin Adler.
+
+        Whenever internal uv gets blocked, the user agent should fall back to using a pin for user verification. This
+        patch starts doing that by going into the pin flow whenever the authenticator returns the pin required error
+        code.
+
+        Added API test for fallback.
+
+        * UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
+        (WebKit::CtapAuthenticator::makeCredential):
+        (WebKit::CtapAuthenticator::getAssertion):
+        (WebKit::CtapAuthenticator::tryRestartPin):
+
 2021-12-21  Kimmo Kinnunen  <kkinnunen@apple.com>
 

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp

@@ -74 +74 @@
     case CtapDeviceResponseCode::kCtap2ErrPinInvalid:
     case CtapDeviceResponseCode::kCtap2ErrPinBlocked:
+    case CtapDeviceResponseCode::kCtap2ErrPinRequired:
         return true;
     default:
@@ -97 +98 @@
     auto internalUVAvailability = m_info.options().userVerificationAvailability();
     // If UV is required, then either built-in uv or a pin will work.
-    if (internalUVAvailability == UVAvailability::kSupportedAndConfigured && (!options.authenticatorSelection || options.authenticatorSelection->userVerification != UserVerificationRequirement::Discouraged))
+    if (internalUVAvailability == UVAvailability::kSupportedAndConfigured && (!options.authenticatorSelection || options.authenticatorSelection->userVerification != UserVerificationRequirement::Discouraged) && m_pinAuth.isEmpty())
         cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, options, internalUVAvailability);
     else if (m_info.options().clientPinAvailability() == AuthenticatorSupportedOptions::ClientPinAvailability::kSupportedAndPinSet)
@@ -142 +143 @@
     auto internalUVAvailability = m_info.options().userVerificationAvailability();
     // If UV is required, then either built-in uv or a pin will work.
-    if (internalUVAvailability == UVAvailability::kSupportedAndConfigured && options.userVerification != UserVerificationRequirement::Discouraged)
+    if (internalUVAvailability == UVAvailability::kSupportedAndConfigured && options.userVerification != UserVerificationRequirement::Discouraged && m_pinAuth.isEmpty())
         cborCmd = encodeGetAssertionRequestAsCBOR(requestData().hash, options, internalUVAvailability);
     else if (m_info.options().clientPinAvailability() == AuthenticatorSupportedOptions::ClientPinAvailability::kSupportedAndPinSet && options.userVerification != UserVerificationRequirement::Discouraged)
@@ -344 +345 @@
     case CtapDeviceResponseCode::kCtap2ErrPinAuthInvalid:
     case CtapDeviceResponseCode::kCtap2ErrPinInvalid:
+    case CtapDeviceResponseCode::kCtap2ErrPinRequired:
         getRetries();
         return true;

trunk/Tools/ChangeLog

@@ +1 @@
+2021-12-21  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Authenticator is not falling back to clientPIN after internal verification fails and is blocked.
+        https://bugs.webkit.org/show_bug.cgi?id=232501
+        <rdar://problem/84913636>
+
+        Reviewed by Darin Adler.
+
+        Whenever internal uv gets blocked, the user agent should fall back to using a pin for user verification. This
+        adds an API test to verify this behavior.
+
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
+        (TestWebKitAPI::TEST):
+
 2021-12-21  Sam Weinig  <weinig@apple.com>
 

trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

@@ -299 +299 @@
                 51EB126724CB8753000CB030 /* SunLightApplicationGenericNES.mm in Sources */ = {isa = PBXBuildFile; fileRef = 51EB126624CB8493000CB030 /* SunLightApplicationGenericNES.mm */; };
                 520BCF4C141EB09E00937EA8 /* WebArchive_Bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 520BCF4A141EB09E00937EA8 /* WebArchive_Bundle.cpp */; };
+                521D1B7327713E80003900C5 /* web-authentication-get-assertion-hid-internal-uv-pin-fallback.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 521D1B7227713E80003900C5 /* web-authentication-get-assertion-hid-internal-uv-pin-fallback.html */; };
                 5245178721B9F57B0082CB34 /* RenderingProgressPlugIn.mm in Sources */ = {isa = PBXBuildFile; fileRef = 52D5D6BE21B9F1B20046ABA6 /* RenderingProgressPlugIn.mm */; };
                 524BBC9E19DF72C0002F1AF1 /* file-with-video.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 524BBC9B19DF3714002F1AF1 /* file-with-video.html */; };
@@ -1580 +1581 @@
                                 CD577799211CE0E4001B371E /* web-audio-only.html in Copy Resources */,
                                 57663DF32357E48900E85E09 /* web-authentication-get-assertion-hid-cancel.html in Copy Resources */,
+                                521D1B7327713E80003900C5 /* web-authentication-get-assertion-hid-internal-uv-pin-fallback.html in Copy Resources */,
                                 52C8C13A2706439000BDF3B7 /* web-authentication-get-assertion-hid-internal-uv.html in Copy Resources */,
                                 579F1C0123C93AF500C7D4B4 /* web-authentication-get-assertion-hid-multiple-accounts.html in Copy Resources */,
@@ -2092 +2094 @@
                 520BCF4A141EB09E00937EA8 /* WebArchive_Bundle.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebArchive_Bundle.cpp; sourceTree = "<group>"; };
                 520BCF4B141EB09E00937EA8 /* WebArchive.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebArchive.cpp; sourceTree = "<group>"; };
+                521D1B7227713E80003900C5 /* web-authentication-get-assertion-hid-internal-uv-pin-fallback.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; name = "web-authentication-get-assertion-hid-internal-uv-pin-fallback.html"; path = "Tests/WebKitCocoa/web-authentication-get-assertion-hid-internal-uv-pin-fallback.html"; sourceTree = "<group>"; };
                 524BBC9B19DF3714002F1AF1 /* file-with-video.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "file-with-video.html"; sourceTree = "<group>"; };
                 524BBC9C19DF377A002F1AF1 /* WKPageIsPlayingAudio.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WKPageIsPlayingAudio.cpp; sourceTree = "<group>"; };
@@ -3165 +3168 @@
                         isa = PBXGroup;
                         children = (
+                                521D1B7227713E80003900C5 /* web-authentication-get-assertion-hid-internal-uv-pin-fallback.html */,
                                 52C8C1392706439000BDF3B7 /* web-authentication-get-assertion-hid-internal-uv.html */,
                                 52C8C1372706437C00BDF3B7 /* web-authentication-make-credential-hid-internal-uv.html */,

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm

@@ -1252 +1252 @@
 }
 
+TEST(WebAuthenticationPanel, GetAssertionInternalUVPinFallback)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-get-assertion-hid-internal-uv-pin-fallback" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    [[configuration preferences] _setEnabled:NO forExperimentalFeature:webAuthenticationModernExperimentalFeature()];
+
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+    [webView focus];
+
+    webAuthenticationPanelPin = "1234";
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Succeeded!"];
+}
+
 TEST(WebAuthenticationPanel, GetAssertionPinAuthBlockedError)
 {